Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication Applications

 will consider authentication functions  developed to support application-level authentication & digital signatures  will consider Kerberos private-key authentication service Kerberos private-key authentication service X.509 public-key directory authentication X.509 public-key directory authentication public-key infrastructure (PKI) public-key infrastructure (PKI) federated identity management federated identity management Internet Authentication Applications

Kerberos  trusted key server system from MIT  provides centralised private-key third-party authentication in a distributed network allows users access to services distributed through network allows users access to services distributed through network without needing to trust all workstations without needing to trust all workstations rather all trust a central authentication server rather all trust a central authentication server  two versions in use: 4 & 5

Kerberos Overview  a basic third-party authentication scheme  have an Authentication Server (AS) users initially negotiate with AS to identify self users initially negotiate with AS to identify self AS provides a non-corruptible authentication credential (ticket granting ticket TGT) AS provides a non-corruptible authentication credential (ticket granting ticket TGT)  have a Ticket Granting server (TGS) users subsequently request access to other services from TGS on basis of users TGT users subsequently request access to other services from TGS on basis of users TGT

Kerberos Overview

Kerberos Realms  a Kerberos environment consists of: a Kerberos server a Kerberos server a number of clients, all registered with server a number of clients, all registered with server application servers, sharing keys with server application servers, sharing keys with server  this is termed a realm typically a single administrative domain typically a single administrative domain  if have multiple realms, their Kerberos servers must share keys and trust

Kerberos Realms

Kerberos Version 5  Kerberos v4 is most widely used version  also have v5, developed in mid 1990’s specified as Internet standard RFC 1510 specified as Internet standard RFC 1510  provides improvements over v4 addresses environmental shortcomings addresses environmental shortcomings encryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm authencryption alg, network protocol, byte order, ticket lifetime, authentication forwarding, inter-realm auth and technical deficiencies and technical deficiencies double encryption, non-std mode of use, session keys, password attacksdouble encryption, non-std mode of use, session keys, password attacks

Kerberos Performance Issues  see larger client-server installations  query Kerberos performance impact very little if system is properly configured very little if system is properly configured since tickets are reusable since tickets are reusable  Kerberos security best assured if place its server on a separate, isolated machine  administrative motivation for multi realms not a performance issue not a performance issue

Certificate Authorities  certificate consists of: a public key plus a User ID of the key owner a public key plus a User ID of the key owner signed by a third party trusted by community signed by a third party trusted by community often govt./bank certificate authority (CA) often govt./bank certificate authority (CA)  users obtain certificates from CA create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to user create keys & unsigned cert, gives to CA, CA signs cert & attaches sig, returns to user  other users can verify cert checking sig on cert using CA’s public key checking sig on cert using CA’s public key

X.509 Authentication Service  universally accepted standard for formatting public-key certificates widely used in network security applications, including IPSec, SSL, SET, and S/MIME widely used in network security applications, including IPSec, SSL, SET, and S/MIME  part of CCITT X.500 directory service standards  uses public-key crypto & digital signatures algorithms not standardised, but RSA recommended algorithms not standardised, but RSA recommended

X.509 Certificates

Public Key Infrastructure

PKIX Management  functions: registration registration initialization initialization certification certification key pair recovery key pair recovery key pair update key pair update revocation request revocation request cross certification cross certification  protocols: CMP, CMC

Federated Identity Management  use of common identity management scheme across multiple enterprises & numerous applications across multiple enterprises & numerous applications supporting many thousands, even millions of users supporting many thousands, even millions of users  principal elements are: authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation authentication, authorization, accounting, provisioning, workflow automation, delegated administration, password synchronization, self-service password reset, federation  Kerberos contains many of these elements

Identity Management

Federated Identity Management

Standards Used  Extensible Markup Language (XML) characterizes text elements in a document on appearance, function, meaning, or context characterizes text elements in a document on appearance, function, meaning, or context  Simple Object Access Protocol (SOAP) for invoking code using XML over HTTP for invoking code using XML over HTTP  WS-Security set of SOAP extensions for implementing message integrity and confidentiality in Web services set of SOAP extensions for implementing message integrity and confidentiality in Web services  Security Assertion Markup Language (SAML) XML-based language for the exchange of security information between online business partners XML-based language for the exchange of security information between online business partners

Summary  reviewed network authentication using: Kerberos private-key authentication service Kerberos private-key authentication service X.509 public-key directory authentication X.509 public-key directory authentication public-key infrastructure (PKI) public-key infrastructure (PKI) federated identity management federated identity management